semgrep-rule-creator

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill's primary purpose is to assist developers in writing Semgrep rules. All tools requested (Bash, Read, Write, Edit, Glob, Grep, WebFetch) are standard for code generation and testing tasks.
  • [EXTERNAL_DOWNLOADS]: The skill fetches Semgrep documentation and best practices from official and trusted sources, specifically the Semgrep and Trail of Bits GitHub repositories. These downloads are used to provide the AI agent with the necessary context to generate valid rules and do not involve executable code or untrusted scripts.
  • [COMMAND_EXECUTION]: The skill utilizes standard Semgrep CLI commands (e.g., semgrep --test, semgrep --dump-ast) to validate and debug the generated rules. While it uses eval as an example of a dangerous sink in documentation, it does not execute eval or exec with user-provided input in its own logic. The YARA flag for eval_with_user_input in SKILL.md is a false positive triggered by instructional examples of what to detect with Semgrep.
  • [PROMPT_INJECTION]: No patterns of prompt injection, role-play bypass, or safety filter overrides were detected. The instructions are focused on adherence to the Semgrep rule creation workflow.
  • [DATA_EXFILTRATION]: No sensitive file paths are accessed, and no network operations to non-whitelisted or suspicious domains are present. Network activity is limited to fetching documentation from trusted GitHub repositories.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 13, 2026, 11:16 AM